| 1 |
commit: feb423dabdacb8a9a5e639f8d715e20aa3d8d4f2 |
| 2 |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
| 3 |
AuthorDate: Thu Nov 1 20:20:45 2012 +0000 |
| 4 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
| 5 |
CommitDate: Thu Nov 1 20:20:45 2012 +0000 |
| 6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=feb423da |
| 7 |
|
| 8 |
Further reshuffle additions into their own ifdef group |
| 9 |
|
| 10 |
--- |
| 11 |
policy/modules/contrib/mozilla.te | 197 +++++++++++++++++++------------------ |
| 12 |
1 files changed, 103 insertions(+), 94 deletions(-) |
| 13 |
|
| 14 |
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te |
| 15 |
index fca9e78..074676e 100644 |
| 16 |
--- a/policy/modules/contrib/mozilla.te |
| 17 |
+++ b/policy/modules/contrib/mozilla.te |
| 18 |
@@ -99,7 +99,6 @@ allow mozilla_t self:sem create_sem_perms; |
| 19 |
allow mozilla_t self:socket create_socket_perms; |
| 20 |
allow mozilla_t self:unix_stream_socket { accept listen }; |
| 21 |
|
| 22 |
-allow mozilla_t mozilla_plugin_t:process { rlimitinh siginh noatsecure }; |
| 23 |
allow mozilla_t mozilla_plugin_t:unix_stream_socket rw_socket_perms; |
| 24 |
allow mozilla_t mozilla_plugin_t:fd use; |
| 25 |
|
| 26 |
@@ -114,7 +113,6 @@ userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".phoenix") |
| 27 |
filetrans_pattern(mozilla_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins") |
| 28 |
|
| 29 |
manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t) |
| 30 |
-manage_fifo_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t) |
| 31 |
manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t) |
| 32 |
files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir }) |
| 33 |
|
| 34 |
@@ -131,9 +129,9 @@ allow mozilla_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms; |
| 35 |
stream_connect_pattern(mozilla_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_plugin_t) |
| 36 |
|
| 37 |
kernel_read_kernel_sysctls(mozilla_t) |
| 38 |
-kernel_read_net_sysctls(mozilla_t) |
| 39 |
kernel_read_network_state(mozilla_t) |
| 40 |
kernel_read_system_state(mozilla_t) |
| 41 |
+kernel_read_net_sysctls(mozilla_t) |
| 42 |
|
| 43 |
corecmd_list_bin(mozilla_t) |
| 44 |
corecmd_exec_shell(mozilla_t) |
| 45 |
@@ -144,9 +142,6 @@ corenet_all_recvfrom_netlabel(mozilla_t) |
| 46 |
corenet_tcp_sendrecv_generic_if(mozilla_t) |
| 47 |
corenet_tcp_sendrecv_generic_node(mozilla_t) |
| 48 |
|
| 49 |
-corenet_dontaudit_tcp_bind_generic_port(mozilla_t) |
| 50 |
-corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t) |
| 51 |
- |
| 52 |
corenet_sendrecv_http_client_packets(mozilla_t) |
| 53 |
corenet_tcp_connect_http_port(mozilla_t) |
| 54 |
corenet_tcp_sendrecv_http_port(mozilla_t) |
| 55 |
@@ -175,10 +170,6 @@ corenet_sendrecv_speech_client_packets(mozilla_t) |
| 56 |
corenet_tcp_connect_speech_port(mozilla_t) |
| 57 |
corenet_tcp_sendrecv_speech_port(mozilla_t) |
| 58 |
|
| 59 |
-corenet_sendrecv_tor_client_packets(mozilla_t) |
| 60 |
-corenet_tcp_connect_tor_port(mozilla_t) |
| 61 |
-corenet_tcp_sendrecv_tor_port(mozilla_t) |
| 62 |
- |
| 63 |
dev_getattr_sysfs_dirs(mozilla_t) |
| 64 |
dev_read_sound(mozilla_t) |
| 65 |
dev_read_rand(mozilla_t) |
| 66 |
@@ -210,17 +201,88 @@ miscfiles_read_fonts(mozilla_t) |
| 67 |
miscfiles_read_localization(mozilla_t) |
| 68 |
miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t) |
| 69 |
|
| 70 |
-userdom_search_user_home_dirs(mozilla_t) |
| 71 |
userdom_use_user_ptys(mozilla_t) |
| 72 |
|
| 73 |
mozilla_run_plugin(mozilla_t, mozilla_roles) |
| 74 |
mozilla_run_plugin_config(mozilla_t, mozilla_roles) |
| 75 |
|
| 76 |
-xdg_manage_downloads_home(mozilla_t) |
| 77 |
- |
| 78 |
-xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t) |
| 79 |
-xserver_dontaudit_read_xdm_tmp_files(mozilla_t) |
| 80 |
xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t) |
| 81 |
+xserver_dontaudit_read_xdm_tmp_files(mozilla_t) |
| 82 |
+xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t) |
| 83 |
+ |
| 84 |
+ifdef(`distro_gentoo',` |
| 85 |
+ allow mozilla_t mozilla_plugin_t:process { rlimitinh siginh noatsecure }; |
| 86 |
+ |
| 87 |
+ manage_fifo_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t) |
| 88 |
+ |
| 89 |
+ corenet_dontaudit_tcp_bind_generic_port(mozilla_t) |
| 90 |
+ corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t) |
| 91 |
+ corenet_sendrecv_tor_client_packets(mozilla_t) |
| 92 |
+ corenet_tcp_connect_tor_port(mozilla_t) |
| 93 |
+ corenet_tcp_sendrecv_tor_port(mozilla_t) |
| 94 |
+ |
| 95 |
+ userdom_search_user_home_dirs(mozilla_t) |
| 96 |
+ |
| 97 |
+ xdg_manage_downloads_home(mozilla_t) |
| 98 |
+ xdg_read_generic_config_home_files(mozilla_t) |
| 99 |
+ xdg_read_generic_data_home_files(mozilla_t) |
| 100 |
+ |
| 101 |
+ #xserver_common_x_domain_template(mozilla_t, mozilla_tmpfs_t) is this |
| 102 |
+ #not better than user_x_domain_template ? |
| 103 |
+ |
| 104 |
+ # main refpolicy does not make this distinction anymore |
| 105 |
+ # (allows manage rights automatically) |
| 106 |
+ tunable_policy(`mozilla_read_user_content',` |
| 107 |
+ userdom_list_user_tmp(mozilla_t) |
| 108 |
+ userdom_read_user_home_content_files(mozilla_t) |
| 109 |
+ userdom_read_user_home_content_symlinks(mozilla_t) |
| 110 |
+ userdom_read_user_tmp_files(mozilla_t) |
| 111 |
+ userdom_read_user_tmp_symlinks(mozilla_t) |
| 112 |
+ |
| 113 |
+ ifndef(`enable_mls',` |
| 114 |
+ fs_list_dos(mozilla_t) |
| 115 |
+ fs_read_dos_files(mozilla_t) |
| 116 |
+ fs_read_iso9660_files(mozilla_t) |
| 117 |
+ fs_read_removable_files(mozilla_t) |
| 118 |
+ fs_read_removable_symlinks(mozilla_t) |
| 119 |
+ fs_search_removable(mozilla_t) |
| 120 |
+ ') |
| 121 |
+ ',` |
| 122 |
+ files_dontaudit_list_home(mozilla_t) |
| 123 |
+ files_dontaudit_list_tmp(mozilla_t) |
| 124 |
+ |
| 125 |
+ fs_dontaudit_list_removable(mozilla_t) |
| 126 |
+ fs_dontaudit_read_removable_files(mozilla_t) |
| 127 |
+ |
| 128 |
+ userdom_dontaudit_list_user_home_dirs(mozilla_t) |
| 129 |
+ userdom_dontaudit_list_user_tmp(mozilla_t) |
| 130 |
+ userdom_dontaudit_read_user_home_content_files(mozilla_t) |
| 131 |
+ userdom_dontaudit_read_user_tmp_files(mozilla_t) |
| 132 |
+ ') |
| 133 |
+ |
| 134 |
+ optional_policy(` |
| 135 |
+ tunable_policy(`mozilla_use_java',` |
| 136 |
+ #java_noatsecure_domtrans(mozilla_t) |
| 137 |
+ # refpolicy method below, but we might want to introduce |
| 138 |
+ # specific domains for this (like mozilla_java_t)? TODO |
| 139 |
+ java_exec(mozilla_t) |
| 140 |
+ java_manage_generic_home_content(mozilla_t) |
| 141 |
+ ') |
| 142 |
+ |
| 143 |
+ java_home_filetrans_java_home(mozilla_t, dir, ".java") |
| 144 |
+ |
| 145 |
+ # Cannot handle optional_policy within tunable_policy |
| 146 |
+ optional_policy(` |
| 147 |
+ tunable_policy(`mozilla_use_java',` |
| 148 |
+ chromium_tmp_filetrans(mozilla_t, mozilla_tmp_t, fifo_file) |
| 149 |
+ ') |
| 150 |
+ ') |
| 151 |
+ ') |
| 152 |
+ |
| 153 |
+ optional_policy(` |
| 154 |
+ nscd_socket_use(mozilla_t) |
| 155 |
+ ') |
| 156 |
+') |
| 157 |
|
| 158 |
tunable_policy(`allow_execmem',` |
| 159 |
allow mozilla_t self:process execmem; |
| 160 |
@@ -242,36 +304,6 @@ tunable_policy(`use_samba_home_dirs',` |
| 161 |
fs_manage_cifs_symlinks(mozilla_t) |
| 162 |
') |
| 163 |
|
| 164 |
-# Specific for Gentoo, main refpolicy does not make this distinction anymore |
| 165 |
-# (allows manage rights automatically) |
| 166 |
-tunable_policy(`mozilla_read_user_content',` |
| 167 |
- userdom_list_user_tmp(mozilla_t) |
| 168 |
- userdom_read_user_home_content_files(mozilla_t) |
| 169 |
- userdom_read_user_home_content_symlinks(mozilla_t) |
| 170 |
- userdom_read_user_tmp_files(mozilla_t) |
| 171 |
- userdom_read_user_tmp_symlinks(mozilla_t) |
| 172 |
- |
| 173 |
- ifndef(`enable_mls',` |
| 174 |
- fs_list_dos(mozilla_t) |
| 175 |
- fs_read_dos_files(mozilla_t) |
| 176 |
- fs_read_iso9660_files(mozilla_t) |
| 177 |
- fs_read_removable_files(mozilla_t) |
| 178 |
- fs_read_removable_symlinks(mozilla_t) |
| 179 |
- fs_search_removable(mozilla_t) |
| 180 |
- ') |
| 181 |
-',` |
| 182 |
- files_dontaudit_list_home(mozilla_t) |
| 183 |
- files_dontaudit_list_tmp(mozilla_t) |
| 184 |
- |
| 185 |
- fs_dontaudit_list_removable(mozilla_t) |
| 186 |
- fs_dontaudit_read_removable_files(mozilla_t) |
| 187 |
- |
| 188 |
- userdom_dontaudit_list_user_home_dirs(mozilla_t) |
| 189 |
- userdom_dontaudit_list_user_tmp(mozilla_t) |
| 190 |
- userdom_dontaudit_read_user_home_content_files(mozilla_t) |
| 191 |
- userdom_dontaudit_read_user_tmp_files(mozilla_t) |
| 192 |
-') |
| 193 |
- |
| 194 |
optional_policy(` |
| 195 |
apache_read_user_scripts(mozilla_t) |
| 196 |
apache_read_user_content(mozilla_t) |
| 197 |
@@ -314,25 +346,6 @@ optional_policy(` |
| 198 |
') |
| 199 |
|
| 200 |
optional_policy(` |
| 201 |
- tunable_policy(`mozilla_use_java',` |
| 202 |
- #java_noatsecure_domtrans(mozilla_t) |
| 203 |
- # refpolicy method below, but we might want to introduce |
| 204 |
- # specific domains for this (like mozilla_java_t)? TODO |
| 205 |
- java_exec(mozilla_t) |
| 206 |
- java_manage_generic_home_content(mozilla_t) |
| 207 |
- ') |
| 208 |
- |
| 209 |
- java_home_filetrans_java_home(mozilla_t, dir, ".java") |
| 210 |
- |
| 211 |
- # Cannot handle optional_policy within tunable_policy |
| 212 |
- optional_policy(` |
| 213 |
- tunable_policy(`mozilla_use_java',` |
| 214 |
- chromium_tmp_filetrans(mozilla_t, mozilla_tmp_t, fifo_file) |
| 215 |
- ') |
| 216 |
- ') |
| 217 |
-') |
| 218 |
- |
| 219 |
-optional_policy(` |
| 220 |
lpd_run_lpr(mozilla_t, mozilla_roles) |
| 221 |
') |
| 222 |
|
| 223 |
@@ -343,10 +356,6 @@ optional_policy(` |
| 224 |
') |
| 225 |
|
| 226 |
optional_policy(` |
| 227 |
- nscd_socket_use(mozilla_t) |
| 228 |
-') |
| 229 |
- |
| 230 |
-optional_policy(` |
| 231 |
pulseaudio_role(mozilla_roles, mozilla_t) |
| 232 |
') |
| 233 |
|
| 234 |
@@ -354,11 +363,6 @@ optional_policy(` |
| 235 |
thunderbird_domtrans(mozilla_t) |
| 236 |
') |
| 237 |
|
| 238 |
-optional_policy(` |
| 239 |
- xdg_read_generic_config_home_files(mozilla_t) |
| 240 |
- xdg_read_generic_data_home_files(mozilla_t) |
| 241 |
-') |
| 242 |
- |
| 243 |
######################################## |
| 244 |
# |
| 245 |
# Plugin local policy |
| 246 |
@@ -367,12 +371,10 @@ optional_policy(` |
| 247 |
dontaudit mozilla_plugin_t self:capability { ipc_lock sys_nice sys_ptrace sys_tty_config }; |
| 248 |
allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms setrlimit }; |
| 249 |
allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms; |
| 250 |
-allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms; |
| 251 |
allow mozilla_plugin_t self:netlink_kobject_uevent_socket create_socket_perms; |
| 252 |
allow mozilla_plugin_t self:sem create_sem_perms; |
| 253 |
allow mozilla_plugin_t self:shm create_shm_perms; |
| 254 |
allow mozilla_plugin_t self:tcp_socket { accept listen }; |
| 255 |
-allow mozilla_plugin_t self:udp_socket create_socket_perms; |
| 256 |
allow mozilla_plugin_t self:unix_dgram_socket sendto; |
| 257 |
allow mozilla_plugin_t self:unix_stream_socket { accept connectto listen }; |
| 258 |
|
| 259 |
@@ -466,10 +468,6 @@ corenet_sendrecv_monopd_client_packets(mozilla_plugin_t) |
| 260 |
corenet_tcp_connect_monopd_port(mozilla_plugin_t) |
| 261 |
corenet_tcp_sendrecv_monopd_port(mozilla_plugin_t) |
| 262 |
|
| 263 |
-corenet_sendrecv_pulseaudio_client_packets(mozilla_plugin_t) |
| 264 |
-corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t) |
| 265 |
-corenet_tcp_sendrecv_pulseaudio_port(mozilla_plugin_t) |
| 266 |
- |
| 267 |
corenet_sendrecv_soundd_client_packets(mozilla_plugin_t) |
| 268 |
corenet_tcp_connect_soundd_port(mozilla_plugin_t) |
| 269 |
corenet_tcp_sendrecv_soundd_port(mozilla_plugin_t) |
| 270 |
@@ -521,16 +519,36 @@ auth_use_nsswitch(mozilla_plugin_t) |
| 271 |
|
| 272 |
logging_send_syslog_msg(mozilla_plugin_t) |
| 273 |
|
| 274 |
-miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t) |
| 275 |
-miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t) |
| 276 |
+miscfiles_read_localization(mozilla_plugin_t) |
| 277 |
miscfiles_read_fonts(mozilla_plugin_t) |
| 278 |
miscfiles_read_generic_certs(mozilla_plugin_t) |
| 279 |
-miscfiles_read_localization(mozilla_plugin_t) |
| 280 |
|
| 281 |
-userdom_dontaudit_use_user_terminals(mozilla_plugin_t) |
| 282 |
-userdom_rw_user_tmpfs_files(mozilla_plugin_t) |
| 283 |
+ifdef(`distro_gentoo',` |
| 284 |
+ allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms; |
| 285 |
+ allow mozilla_plugin_t self:udp_socket create_socket_perms; |
| 286 |
|
| 287 |
-xserver_user_x_domain_template(mozilla_plugin, mozilla_plugin_t, mozilla_plugin_tmpfs_t) |
| 288 |
+ corenet_sendrecv_pulseaudio_client_packets(mozilla_plugin_t) |
| 289 |
+ corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t) |
| 290 |
+ corenet_tcp_sendrecv_pulseaudio_port(mozilla_plugin_t) |
| 291 |
+ |
| 292 |
+ miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t) |
| 293 |
+ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t) |
| 294 |
+ |
| 295 |
+ userdom_dontaudit_use_user_terminals(mozilla_plugin_t) |
| 296 |
+ userdom_rw_user_tmpfs_files(mozilla_plugin_t) |
| 297 |
+ |
| 298 |
+ xdg_read_generic_config_home_files(mozilla_plugin_t) |
| 299 |
+ |
| 300 |
+ xserver_user_x_domain_template(mozilla_plugin, mozilla_plugin_t, mozilla_plugin_tmpfs_t) |
| 301 |
+ |
| 302 |
+ optional_policy(` |
| 303 |
+ alsa_domain(mozilla_plugin_t, mozilla_plugin_tmpfs_t) |
| 304 |
+ ') |
| 305 |
+ |
| 306 |
+ optional_policy(` |
| 307 |
+ flash_manage_home(mozilla_plugin_t) |
| 308 |
+ ') |
| 309 |
+') |
| 310 |
|
| 311 |
tunable_policy(`allow_execmem',` |
| 312 |
allow mozilla_plugin_t self:process execmem; |
| 313 |
@@ -554,7 +572,6 @@ tunable_policy(`use_samba_home_dirs',` |
| 314 |
|
| 315 |
optional_policy(` |
| 316 |
alsa_read_rw_config(mozilla_plugin_t) |
| 317 |
- alsa_domain(mozilla_plugin_t, mozilla_plugin_tmpfs_t) |
| 318 |
alsa_read_home_files(mozilla_plugin_t) |
| 319 |
') |
| 320 |
|
| 321 |
@@ -569,10 +586,6 @@ optional_policy(` |
| 322 |
') |
| 323 |
|
| 324 |
optional_policy(` |
| 325 |
- flash_manage_home(mozilla_plugin_t) |
| 326 |
-') |
| 327 |
- |
| 328 |
-optional_policy(` |
| 329 |
gnome_manage_generic_home_content(mozilla_plugin_t) |
| 330 |
gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome") |
| 331 |
gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2") |
| 332 |
@@ -608,10 +621,6 @@ optional_policy(` |
| 333 |
') |
| 334 |
|
| 335 |
optional_policy(` |
| 336 |
- xdg_read_generic_config_home_files(mozilla_plugin_t) |
| 337 |
-') |
| 338 |
- |
| 339 |
-optional_policy(` |
| 340 |
xserver_read_user_xauth(mozilla_plugin_t) |
| 341 |
xserver_read_xdm_pid(mozilla_plugin_t) |
| 342 |
xserver_stream_connect(mozilla_plugin_t) |
Archives